Log Message
Merge r167193 - [GStreamer] No CORS support for media elements https://bugs.webkit.org/show_bug.cgi?id=99037
Patch by Youenn Fablet <youenn.fab...@crf.canon.fr> on 2014-04-13
Reviewed by Philippe Normand.
Source/WebCore:
Added CORS access control check to media sources when crossorigin attribute is set.
Added getter to CORS access control check status (used to compute whether the stream is tainted or not).
Related test is http/tests/security/video-cross-origin-readback.html.
Disabled access to cross-origin streams that fail CORS check when crossorigin attribute is set.
Related test is http/tests/security/video-cross-origin-accessfailure.html.
Tests: http/tests/security/video-cross-origin-accessfailure.html
http/tests/security/video-cross-origin-accesssameorigin.html
* platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
(WebCore::MediaPlayerPrivateGStreamer::didPassCORSAccessCheck): Return whether media is cross-origin (tainted) or not by querying the gstreamer source layer.
* platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h: Added MediaPlayerPrivateGStreamer::didPassCORSAccessCheck declaration.
* platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:
(webKitWebSrcStart): Passed CORS mode parameter to the streaming client. In case of CORS check failure, stop the resource loading.
(webKitSrcPassedCORSAccessCheck): Return whether CORS access control check was done and successful.
(StreamingClient::handleResponseReceived): Take a parameter to assign the CORS access control check result.
(CachedResourceStreamingClient::CachedResourceStreamingClient): Updated setting of the ResourceLoaderOptions according CORS mode.
(CachedResourceStreamingClient::responseReceived): Check CORS and pass result to handleResponseReceived.
(ResourceHandleStreamingClient::didReceiveResponse): No CORS check.
* platform/graphics/gstreamer/WebKitWebSourceGStreamer.h: Added webKitSrcPassedCORSAccessCheck declaration.
LayoutTests:
http/tests/security/video-cross-origin-accessfailure.html verifies that cross-origin streams that fail CORS check
are not played when crossorigin attribute is set.
http/tests/security/video-cross-origin-accesssameorigin.html verifies that access to same-origin streams
are played when crossorigin attribute is set.
* http/tests/security/video-cross-origin-accessfailure-expected.txt: Added.
* http/tests/security/video-cross-origin-accessfailure.html: Added.
* http/tests/security/video-cross-origin-accesssameorigin-expected.txt: Added.
* http/tests/security/video-cross-origin-accesssameorigin.html: Added.
* platform/efl/TestExpectations: Enabled http/tests/security/video-cross-origin-readback.html.
* platform/gtk/TestExpectations: Ditto.
* platform/mac/TestExpectations: Disabled http/tests/security/video-cross-origin-accessfailure.html.
Modified Paths
- releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog
- releases/WebKitGTK/webkit-2.4/LayoutTests/platform/efl/TestExpectations
- releases/WebKitGTK/webkit-2.4/LayoutTests/platform/gtk/TestExpectations
- releases/WebKitGTK/webkit-2.4/LayoutTests/platform/mac/TestExpectations
- releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog
- releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
- releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h
- releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp
- releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.h
Added Paths
- releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accessfailure-expected.txt
- releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accessfailure.html
- releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accesssameorigin-expected.txt
- releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accesssameorigin.html
Property Changed
Diff
Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog (167241 => 167242)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog 2014-04-14 11:25:51 UTC (rev 167241)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog 2014-04-14 11:40:49 UTC (rev 167242)
@@ -1,3 +1,23 @@
+2014-04-13 Youenn Fablet <youenn.fab...@crf.canon.fr>
+
+ [GStreamer] No CORS support for media elements
+ https://bugs.webkit.org/show_bug.cgi?id=99037
+
+ Reviewed by Philippe Normand.
+
+ http/tests/security/video-cross-origin-accessfailure.html verifies that cross-origin streams that fail CORS check
+ are not played when crossorigin attribute is set.
+ http/tests/security/video-cross-origin-accesssameorigin.html verifies that access to same-origin streams
+ are played when crossorigin attribute is set.
+
+ * http/tests/security/video-cross-origin-accessfailure-expected.txt: Added.
+ * http/tests/security/video-cross-origin-accessfailure.html: Added.
+ * http/tests/security/video-cross-origin-accesssameorigin-expected.txt: Added.
+ * http/tests/security/video-cross-origin-accesssameorigin.html: Added.
+ * platform/efl/TestExpectations: Enabled http/tests/security/video-cross-origin-readback.html.
+ * platform/gtk/TestExpectations: Ditto.
+ * platform/mac/TestExpectations: Disabled http/tests/security/video-cross-origin-accessfailure.html.
+
2014-03-21 Oliver Hunt <oli...@apple.com>
Fix semantics of JS execution when assigning an object to document.location
Added: releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accessfailure-expected.txt (0 => 167242)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accessfailure-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accessfailure-expected.txt 2014-04-14 11:40:49 UTC (rev 167242)
@@ -0,0 +1,3 @@
+EVENT(error)
+END OF TEST
+
Added: releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accessfailure.html (0 => 167242)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accessfailure.html (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accessfailure.html 2014-04-14 11:40:49 UTC (rev 167242)
@@ -0,0 +1,27 @@
+<html>
+ <!-- Trying to access a cross origin resource, but response does not contain CORS headers.
+ Video play back is expected to fail. -->
+ <body _onload_="start()">
+ <script src=""
+ <script src=""
+ <script>
+ waitForEvent('error', function() {
+ endTest();
+ });
+
+ waitForEvent('playing', function() {
+ failTest("Video stream access should not be granted");
+ });
+
+ function start() {
+ findMediaElement();
+ var mediaFile = findMediaFile("video", "../../media/resources/test");
+ video.src = "" + mediaFile;
+ video.play();
+ }
+ </script>
+
+ <video crossorigin></video>
+ <canvas></canvas>
+ </body>
+</head>
Property changes on: releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accessfailure.html
___________________________________________________________________
Added: svn:executable
Added: releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accesssameorigin-expected.txt (0 => 167242)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accesssameorigin-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accesssameorigin-expected.txt 2014-04-14 11:40:49 UTC (rev 167242)
@@ -0,0 +1,3 @@
+EVENT(playing)
+END OF TEST
+
Added: releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accesssameorigin.html (0 => 167242)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accesssameorigin.html (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accesssameorigin.html 2014-04-14 11:40:49 UTC (rev 167242)
@@ -0,0 +1,27 @@
+<html>
+ <!-- Trying to access a same origin resource, video element setting crossorigin attribute.
+ Video play back is expected to succeed. -->
+ <body _onload_="start()">
+ <script src=""
+ <script src=""
+ <script>
+ waitForEvent('error', function() {
+ failTest("Video stream access should succeed");
+ });
+
+ waitForEvent('playing', function() {
+ endTest();
+ });
+
+ function start() {
+ findMediaElement();
+ var mediaFile = findMediaFile("video", "../../media/resources/test");
+ video.src = ""
+ video.play();
+ }
+ </script>
+
+ <video crossorigin></video>
+ <canvas></canvas>
+ </body>
+</head>
Property changes on: releases/WebKitGTK/webkit-2.4/LayoutTests/http/tests/security/video-cross-origin-accesssameorigin.html
___________________________________________________________________
Added: svn:executable
Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/platform/efl/TestExpectations (167241 => 167242)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/platform/efl/TestExpectations 2014-04-14 11:25:51 UTC (rev 167241)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/platform/efl/TestExpectations 2014-04-14 11:40:49 UTC (rev 167242)
@@ -306,9 +306,6 @@
# Pre-HMTL5 parser quirks only apply to the mac port for now.
fast/parser/pre-html5-parser-quirks.html [ WontFix ]
-# No CORS support for media elements is implemented yet.
-Bug(EFL) http/tests/security/video-cross-origin-readback.html [ Failure ]
-
# Perf tests are way too slow and some may fail due to timeout.
perf/adding-radio-buttons.html [ WontFix ]
perf/array-binary-search.html [ WontFix ]
Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/platform/gtk/TestExpectations (167241 => 167242)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/platform/gtk/TestExpectations 2014-04-14 11:25:51 UTC (rev 167241)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/platform/gtk/TestExpectations 2014-04-14 11:40:49 UTC (rev 167242)
@@ -360,9 +360,6 @@
webkit.org/b/79203 webaudio/mediastreamaudiodestinationnode.html [ Skip ]
webkit.org/b/79203 webaudio/mediastreamaudiosourcenode.html [ Skip ]
-# No CORS support for media elements is implemented yet.
-webkit.org/b/99037 http/tests/security/video-cross-origin-readback.html [ Failure ]
-
# New test infrastructure required -- need isolated worlds
webkit.org/b/31508 http/tests/security/isolatedWorld [ Skip ]
webkit.org/b/31508 plugins/npruntime/overrides-all-properties.html [ Skip ]
Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/platform/mac/TestExpectations (167241 => 167242)
--- releases/WebKitGTK/webkit-2.4/LayoutTests/platform/mac/TestExpectations 2014-04-14 11:25:51 UTC (rev 167241)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/platform/mac/TestExpectations 2014-04-14 11:40:49 UTC (rev 167242)
@@ -522,6 +522,7 @@
# No CORS support for media elements is implemented yet.
http/tests/security/video-cross-origin-readback.html
+http/tests/security/video-cross-origin-accessfailure.html
# media/audio-repaint.html sometimes fails on Lion Debug (Tests)
webkit.org/b/84357 media/audio-repaint.html [ Failure ]
Property changes on: releases/WebKitGTK/webkit-2.4/LayoutTests/platform/mac/TestExpectations
___________________________________________________________________
Added: svn:executable
Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog (167241 => 167242)
--- releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog 2014-04-14 11:25:51 UTC (rev 167241)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog 2014-04-14 11:40:49 UTC (rev 167242)
@@ -1,3 +1,33 @@
+2014-04-13 Youenn Fablet <youenn.fab...@crf.canon.fr>
+
+ [GStreamer] No CORS support for media elements
+ https://bugs.webkit.org/show_bug.cgi?id=99037
+
+ Reviewed by Philippe Normand.
+
+ Added CORS access control check to media sources when crossorigin attribute is set.
+
+ Added getter to CORS access control check status (used to compute whether the stream is tainted or not).
+ Related test is http/tests/security/video-cross-origin-readback.html.
+
+ Disabled access to cross-origin streams that fail CORS check when crossorigin attribute is set.
+ Related test is http/tests/security/video-cross-origin-accessfailure.html.
+
+ Tests: http/tests/security/video-cross-origin-accessfailure.html
+ http/tests/security/video-cross-origin-accesssameorigin.html
+
+ * platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp:
+ (WebCore::MediaPlayerPrivateGStreamer::didPassCORSAccessCheck): Return whether media is cross-origin (tainted) or not by querying the gstreamer source layer.
+ * platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h: Added MediaPlayerPrivateGStreamer::didPassCORSAccessCheck declaration.
+ * platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp:
+ (webKitWebSrcStart): Passed CORS mode parameter to the streaming client. In case of CORS check failure, stop the resource loading.
+ (webKitSrcPassedCORSAccessCheck): Return whether CORS access control check was done and successful.
+ (StreamingClient::handleResponseReceived): Take a parameter to assign the CORS access control check result.
+ (CachedResourceStreamingClient::CachedResourceStreamingClient): Updated setting of the ResourceLoaderOptions according CORS mode.
+ (CachedResourceStreamingClient::responseReceived): Check CORS and pass result to handleResponseReceived.
+ (ResourceHandleStreamingClient::didReceiveResponse): No CORS check.
+ * platform/graphics/gstreamer/WebKitWebSourceGStreamer.h: Added webKitSrcPassedCORSAccessCheck declaration.
+
2014-03-26 Jer Noble <jer.no...@apple.com>
REGRESSION(r162679): Poster image visible under the video
Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp (167241 => 167242)
--- releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp 2014-04-14 11:25:51 UTC (rev 167241)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp 2014-04-14 11:40:49 UTC (rev 167242)
@@ -1908,6 +1908,13 @@
gst_element_post_message(m_playBin.get(), message);
}
+bool MediaPlayerPrivateGStreamer::didPassCORSAccessCheck() const
+{
+ if (WEBKIT_IS_WEB_SRC(m_source.get()))
+ return webKitSrcPassedCORSAccessCheck(WEBKIT_WEB_SRC(m_source.get()));
+ return false;
}
+}
+
#endif // USE(GSTREAMER)
Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h (167241 => 167242)
--- releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h 2014-04-14 11:25:51 UTC (rev 167241)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.h 2014-04-14 11:40:49 UTC (rev 167242)
@@ -152,6 +152,7 @@
virtual String engineDescription() const { return "GStreamer"; }
virtual bool isLiveStream() const { return m_isStreaming; }
+ virtual bool didPassCORSAccessCheck() const;
private:
GRefPtr<GstElement> m_playBin;
Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp (167241 => 167242)
--- releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp 2014-04-14 11:25:51 UTC (rev 167241)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.cpp 2014-04-14 11:40:49 UTC (rev 167242)
@@ -27,6 +27,7 @@
#include "CachedResourceHandle.h"
#include "CachedResourceLoader.h"
#include "CachedResourceRequest.h"
+#include "CrossOriginAccessControl.h"
#include "GRefPtrGStreamer.h"
#include "GStreamerUtilities.h"
#include "MediaPlayer.h"
@@ -35,6 +36,7 @@
#include "ResourceHandleClient.h"
#include "ResourceRequest.h"
#include "ResourceResponse.h"
+#include "SecurityOrigin.h"
#include "SharedBuffer.h"
#include <gst/app/gstappsrc.h>
#include <gst/gst.h>
@@ -47,6 +49,12 @@
using namespace WebCore;
+enum CORSAccessCheckResult {
+ CORSNoCheck,
+ CORSSuccess,
+ CORSFailure
+};
+
class StreamingClient {
public:
StreamingClient(WebKitWebSrc*);
@@ -57,7 +65,7 @@
protected:
char* createReadBuffer(size_t requestedSize, size_t& actualSize);
- void handleResponseReceived(const ResourceResponse&);
+ void handleResponseReceived(const ResourceResponse&, CORSAccessCheckResult);
void handleDataReceived(const char*, int);
void handleNotifyFinished();
@@ -67,7 +75,7 @@
class CachedResourceStreamingClient : public CachedRawResourceClient, public StreamingClient {
WTF_MAKE_NONCOPYABLE(CachedResourceStreamingClient); WTF_MAKE_FAST_ALLOCATED;
public:
- CachedResourceStreamingClient(WebKitWebSrc*, CachedResourceLoader*, const ResourceRequest&);
+ CachedResourceStreamingClient(WebKitWebSrc*, CachedResourceLoader*, const ResourceRequest&, MediaPlayerClient::CORSMode);
virtual ~CachedResourceStreamingClient();
// StreamingClient virtual methods.
@@ -82,6 +90,7 @@
virtual void notifyFinished(CachedResource*);
CachedResourceHandle<CachedRawResource> m_resource;
+ RefPtr<SecurityOrigin> m_origin;
};
class ResourceHandleStreamingClient : public ResourceHandleClient, public StreamingClient {
@@ -119,6 +128,8 @@
StreamingClient* client;
+ CORSAccessCheckResult corsAccessCheck;
+
guint64 offset;
guint64 size;
gboolean seekable;
@@ -468,6 +479,7 @@
GMutexLocker locker(GST_OBJECT_GET_LOCK(src));
priv->startID = 0;
+ priv->corsAccessCheck = CORSNoCheck;
if (!priv->uri) {
GST_ERROR_OBJECT(src, "No URI provided");
@@ -515,7 +527,7 @@
if (priv->player) {
if (CachedResourceLoader* loader = priv->player->cachedResourceLoader())
- priv->client = new CachedResourceStreamingClient(src, loader, request);
+ priv->client = new CachedResourceStreamingClient(src, loader, request, priv->player->mediaPlayerClient()->mediaPlayerCORSMode());
}
if (!priv->client)
@@ -802,6 +814,11 @@
src->priv->player = player;
}
+bool webKitSrcPassedCORSAccessCheck(WebKitWebSrc* src)
+{
+ return src->priv->corsAccessCheck == CORSSuccess;
+}
+
StreamingClient::StreamingClient(WebKitWebSrc* src)
: m_src(adoptGRef(static_cast<GstElement*>(gst_object_ref(src))))
{
@@ -830,16 +847,19 @@
return getGstBufferDataPointer(buffer);
}
-void StreamingClient::handleResponseReceived(const ResourceResponse& response)
+void StreamingClient::handleResponseReceived(const ResourceResponse& response, CORSAccessCheckResult corsAccessCheck)
{
WebKitWebSrc* src = ""
WebKitWebSrcPrivate* priv = src->priv;
GST_DEBUG_OBJECT(src, "Received response: %d", response.httpStatusCode());
- if (response.httpStatusCode() >= 400) {
- // Received error code
- GST_ELEMENT_ERROR(src, RESOURCE, READ, ("Received %d HTTP error code", response.httpStatusCode()), (0));
+ if (response.httpStatusCode() >= 400 || corsAccessCheck == CORSFailure) {
+ // Received error code or CORS check failed
+ if (corsAccessCheck == CORSFailure)
+ GST_ELEMENT_ERROR(src, RESOURCE, READ, ("Cross-origin stream load denied by Cross-Origin Resource Sharing policy."), (nullptr));
+ else
+ GST_ELEMENT_ERROR(src, RESOURCE, READ, ("Received %d HTTP error code", response.httpStatusCode()), (nullptr));
gst_app_src_end_of_stream(priv->appsrc);
webKitWebSrcStop(src);
return;
@@ -847,6 +867,8 @@
GMutexLocker locker(GST_OBJECT_GET_LOCK(src));
+ priv->corsAccessCheck = corsAccessCheck;
+
if (priv->seekID) {
GST_DEBUG_OBJECT(src, "Seek in progress, ignoring response");
return;
@@ -860,7 +882,7 @@
} else if (response.httpStatusCode() != 206) {
// Range request completely failed.
locker.unlock();
- GST_ELEMENT_ERROR(src, RESOURCE, READ, ("Received unexpected %d HTTP status code", response.httpStatusCode()), (0));
+ GST_ELEMENT_ERROR(src, RESOURCE, READ, ("Received unexpected %d HTTP status code", response.httpStatusCode()), (nullptr));
gst_app_src_end_of_stream(priv->appsrc);
webKitWebSrcStop(src);
return;
@@ -1018,11 +1040,22 @@
}
}
-CachedResourceStreamingClient::CachedResourceStreamingClient(WebKitWebSrc* src, CachedResourceLoader* resourceLoader, const ResourceRequest& request)
+CachedResourceStreamingClient::CachedResourceStreamingClient(WebKitWebSrc* src, CachedResourceLoader* resourceLoader, const ResourceRequest& request, MediaPlayerClient::CORSMode corsMode)
: StreamingClient(src)
{
DataBufferingPolicy bufferingPolicy = request.url().protocolIs("blob") ? BufferData : DoNotBufferData;
- CachedResourceRequest cacheRequest(request, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, DoNotAllowStoredCredentials, DoNotAskClientForCrossOriginCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType));
+ RequestOriginPolicy corsPolicy = corsMode != MediaPlayerClient::Unspecified ? PotentiallyCrossOriginEnabled : UseDefaultOriginRestrictionsForType;
+ StoredCredentials allowCredentials = corsMode == MediaPlayerClient::UseCredentials ? AllowStoredCredentials : DoNotAllowStoredCredentials;
+ ResourceLoaderOptions options(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, DoNotAskClientForCrossOriginCredentials, DoSecurityCheck, corsPolicy);
+
+ CachedResourceRequest cacheRequest(request, options);
+
+ if (corsMode != MediaPlayerClient::Unspecified) {
+ m_origin = resourceLoader->document() ? resourceLoader->document()->securityOrigin() : nullptr;
+ updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), m_origin.get(), allowCredentials);
+ }
+
+ // TODO: Decide whether to use preflight mode for cross-origin requests (see http://wkbug.com/131484).
m_resource = resourceLoader->requestRawResource(cacheRequest);
if (m_resource)
m_resource->addClient(this);
@@ -1052,9 +1085,12 @@
return createReadBuffer(requestedSize, actualSize);
}
-void CachedResourceStreamingClient::responseReceived(CachedResource*, const ResourceResponse& response)
+void CachedResourceStreamingClient::responseReceived(CachedResource* resource, const ResourceResponse& response)
{
- handleResponseReceived(response);
+ CORSAccessCheckResult corsAccessCheck = CORSNoCheck;
+ if (m_origin)
+ corsAccessCheck = (m_origin->canRequest(response.url()) || resource->passesAccessControlCheck(m_origin.get())) ? CORSSuccess : CORSFailure;
+ handleResponseReceived(response, corsAccessCheck);
}
void CachedResourceStreamingClient::dataReceived(CachedResource*, const char* data, int length)
@@ -1116,7 +1152,7 @@
void ResourceHandleStreamingClient::didReceiveResponse(ResourceHandle*, const ResourceResponse& response)
{
- handleResponseReceived(response);
+ handleResponseReceived(response, CORSNoCheck);
}
void ResourceHandleStreamingClient::didReceiveData(ResourceHandle*, const char* data, unsigned length, int)
Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.h (167241 => 167242)
--- releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.h 2014-04-14 11:25:51 UTC (rev 167241)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/platform/graphics/gstreamer/WebKitWebSourceGStreamer.h 2014-04-14 11:40:49 UTC (rev 167242)
@@ -47,6 +47,7 @@
GType webkit_web_src_get_type(void);
void webKitWebSrcSetMediaPlayer(WebKitWebSrc*, WebCore::MediaPlayer*);
+bool webKitSrcPassedCORSAccessCheck(WebKitWebSrc*);
G_END_DECLS
_______________________________________________ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
